VA missing another hard drive

The hard drive that the Veterans Affairs Department reported missing last week may have contained data on 1.8 million individuals, including sensitive VA data for 539,000 individuals. The agency next week will send notification to those potentially affected.

The investigation also revealed that data for 1.3 million non-VA physicians, both living and deceased, may have been stored on the hard drive. Most of the physician data may be considered readily available to the public, but some of the files may contain sensitive information, VA said.

The agency used the non-VA physician data to analyze and compare information about the health care veterans received from both VA and non-VA health care providers.

VA last week said a portable hard drive used by an employee at a VA facility in Birmingham, Ala., was missing and may have been stolen.

VA's Office of Inspector General, notified the next day, opened a criminal investigation, sent special agents to the medical center and alerted the FBI. VA's Office of Information and Technology also dispatched an incident response team to investigate, VA Secretary Jim Nicholson said.

The OIG seized the employee's work computer and began analyzing its contents. VA also initiated an administrative investigation to determine how such an incident could have occurred.

The agency placed the employee on administrative leave pending the outcome of the investigation.

'VA will continue working around the clock to determine every possible detail we can. I am concerned and will remain so until we have notified those potentially affected and get to the bottom of what happened,' Nicholson said.

VA has encrypted its notebook computers and is in the process of protecting other portable devices in the wake of a dramatic breach last May in which a notebook computer containing the personal data of millions of veterans was stolen from an employee's home. In response, Nicholson centralized VA's IT organization.

VA has the ability to centrally store encrypted data for password-protected download by authorized users, said Rep. Steve Buyer (R-Ind.), the ranking Republican on the House Veterans Affairs Committee. As committee chairman, Buyer led years of oversight hearings to push the agency toward centralization. Yet the data was not totally encrypted and was stored on a VA-owned external drive highly vulnerable to loss or theft.

'It is disappointingly clear that much of the secretary's bureaucracy ' primarily (but not exclusively) managers, chiefs and directors of staffs and facilities ' prefers the status quo to progress and the directives of the secretary,' Buyer said.